1. Technical Field
The invention relates to file systems. More particularly, the invention relates to a method and apparatus for improving file system proxy performance and security by distributing information to clients via file handles.
2. Description of the Prior Art
The Network File System (NFS), developed by Sun Microsystems, is the de facto standard for file sharing among UN*X hosts. NFS Version 3 is documented in RFC 1813. NFS is a stateless protocol. This means that the file server stores no per-client information, and there are no NFS connections. For example, NFS has no operation to open a file because this would require the server to store state information, e.g. that a file is open, what its file descriptor is, the next byte to read, etc. Instead, NFS supports a lookup procedure, which converts a filename into a file handle. This file handle is a unique, immutable identifier, usually an i-node number, or disk block address. NFS does have a read procedure, but the client must specify a file handle and starting offset for every call to read. Two identical calls to read yield the exact same results. If the client wants to read further in the file, it must call read with a larger offset.
A software program or appliance that is a proxy for the NFS protocol, or any other protocol that uses server-generated file handles, usually requires additional file metadata information to be stored either on the server or locally on the proxy, especially in the case of encrypting or authenticating client data, and also in the case of server virtualization, i.e. when serving as a single access point for clients, while providing them with access to several servers on the back end. This metadata can be used, for example, to apply different encryption keys, or to enforce access restrictions to files that are located in different logical units that are defined on the proxy, but possibly invisible to the file server.
Storage encryption appliances that secure data on NFS file servers are an example of a device that matches the above characteristics. Such an appliance forwards file handles generated by the file server to clients, and subsequently acts as a proxy for client requests for access to the file system on the server. Given a file handle from a client, the appliance needs to establish to what area (a.k.a. storage vault) the file belongs, and use the appropriate keys to encrypt or decrypt data. If the metadata used to establish this are not available on the proxy, as is typically the case with large file sets accessed by many client machines, the proxy must send additional requests to the file server to determine how to handle the client request correctly.
It would be advantageous to provide a mechanism that distributes, and effectively caches, information by inserting it into file handles that the proxy sends to clients. It would also be advantageous to provide a mechanism that improves performance by eliminating the need for the proxy to generate additional requests to the server to establish file identity.